Maybe it helps...
You can find a running Cisco pfSense VPN configuration here:

Cisco-pfSense with VTI

Unfortunately in German but the screenshot and config is pretty self explaining.

@cybertivo I'm surprised no one is interested in coming up with a solution for using pfSense with the new AT&T Residential Gateway like the awesome work from MonkWho for the BGW210.

feature request created: https://redmine.pfsense.org/issues/11211

feature request created: https://redmine.pfsense.org/issues/11211

@Ziomalski do you have any further ideas here?

Turns our issue was related to network settings. As the remove subnet was /24 and I had 3 local connected to it pfsense did not like this.

Anyhow, changed all three P2s into a single one 192.168.0.0/16 BINAT 10.201.0.0/16 remote 10.0.0.0/16
and now it works flawless!

Hi, the error was found and corrected in the VPN configuration on the AWS side.
The pfSense LAN subnet is entered there under "Local IPv4 Network Cidr".
The VPC subnet must be entered under "Remote IPv4 Network Cidr".

AWS -> "VIRTUAL PRIVATE NETWORK (VPN)" -> "Site-to-Site VPN Connections":

aws-vps-ipsec.png

@kevindd992002
Yes, exactly.
I was sure to 100% that I got it corrent on both sides, but well... wasn't the case here.

@e37921 said in Traffic from internet through IPSEC VTI not returning the same way:

@kevindd992002
The solution for me was to use OPENVPN. Netgate informed me that there are some limitations in the free bsd software that cause this issue. I deleted my IPsec vpn and then built the site to site vpn using open vpn in pfsense. All my policy based routing worked fine after the switch.

I am new to pfsense and was used to using IPsec vpn's with other firewalls. I had never used open vpn therefore I started with IPsec. Open vpn is very simple to setup and works well. I am using it for site to site vpn with pfsense on both sides as well as for mobile vpn.

Hope this helps you.

Eric

Yeah, it's the other way around for me. Everything was working fine with OpenVPN but I needed to switch to IPsec because the bandwidth I'm getting with OpenVPN is limited by my hardware (APU2C4).

I consulted @jimp and confirmed that the workaround for this issues is this. The only caveat for setting that is it breaks policy-based IPsec tunnels, so if you use both route-based and policy-based then that would be a problem. As I'm using only route-based IPsec then I'm good. I'm testing now.

@jimp said in Routed IPSec reply-to:

It's a limitation in FreeBSD and there isn't any way to know if/when it'll be fixed there. We may direct some resources toward it eventually but no ETA on when we might be able to do something like that.

In some cases you may be able to work around it. If most of your needs are for web-based services then HAProxy may be able to help. Client on far side hits HAProxy which proxies to internal host... Since the remote client is talking to HAProxy, and HAProxy is talking to the server, no need for reply-to.

For non-web-based services like Plex and Deluge where I need to port forward on the local end to access these servers on the far end, can HAProxy work? I tried outbound NAT with IPsec on the local end and it is not working. It works for OpenVPN just fine.

@jimp

But does outbound NAT to the IPsec interface address work without any problems? It's not working for me.

@vegbrasil said in Handling DNS resolution when IPsec is down:

I manage to fix this problem with a better "option 3":

Unbound on the branch office forwards only the needed zones to the main office, while all other zones are being forwarded to public DNS servers (root or not).

Here's the complete step by step:

Make sure you have your preferred external DNS server set in System -> General Setup -> DNS Server Settings. Run DNS Resolver on the remote pfSense box but for the "Outgoing" interface, make sure you use the "LAN" interface, not the WAN. This is needed so that the requests go across the tunnel. Under the "Domain Overrides", enter the domains that you need to have resolved by the DNS at the main branch (i.e. ad.company.com) and the IP address of those DNS servers. You can also add the in-addr.arpa to those forwarding domains as well if reverse lookups are needed. If you have more than one server, duplicate the entry but change the DNS IP. Change the DHCP server settings to used the LAN address of the pfSense box as their DNS servers.

In this case, when the tunnel drops, the only items that will fail to resolve will be the ones that specifically are forwarded to the main branch.

I have the same setup although instead of using LAN in the outgoing interfaces in unbound, I use localhost OR use both WAN and the IPsec interface (as I use Routed VTI). This works the same way as you did but I'm not sure if there's an advantage.

Anybody can help please?

Turns out this is not related to high traffic via IPsec.

As it seems, this is related to ipsec tunnel only able to keep up 2 childs from 3 total. So at a givem time only 2 childs are operatable. If a new request from client comes that is routed via 3rd child, one of 2 active CAs gets disconnected and connections are lost.

Is this settings related, have I set something wrong, cant find anything related...

*Minor Update to the diagram

Cisco IPsec Network.png

"Not My Cisco Router 2" had IP Address 123.45.67.90 instead of IP Address 123.45.89.90 on the original post's diagram. I do not think that this changes my questions.

The original diagram represent what is actually working using Cisco hardware.

The following diagram is what I presently I am presently doing:
pfSense IPsec Network.png

I am basically trying to replace the "My Cisco Router"

I have a working IPsec tunnel between LANS: 10.10.10.0/24 and 10.10.20.0/24. I did this to test if an IPsec VPN between two pfSense routers would work as expected and second check the configuration on "My pfSense Router". I can report that at least the tunnel between my pfSense routers works.

@konstanti said in command for ip xfrm state:

ipsec statusall
or
swanctl --list-sas
or
setkey -D

Thanks a lot!

Just checked: I have the same behavior with OpenVPN?! Maybe I'm stupid, but I don't understand this. Please enlighten me

Nope in addition to port 21 you need to pass the passive port range, for eaxmple 10000-20000 but that that could be anything depending on how you've configured it.
Also vsftp seems to use ftps so needs port 990 also for the encryption.

See: https://www.howtoforge.com/tutorial/ubuntu-vsftpd/

You should be able to see that traffic blocked in the firewall log though when you try to connect and it fails.

Steve

You should not really have an issue with a Draytek to ASA VPN, we have many of those running on multiple ASA firmwares and 2820s, 2860s (v3.9.4.1), 2862s, 29xx etc.

I can't specifically tell you how, as I am not the Cisco guy :-) If it helps most of ours run on IKEv1 with 3DES with auth, no PFS. We also run all the tunnels outbound on the Draytek to the Cisco., with P1 28800 and P2 3600, which is the Draytek default.

The solution is reasonably well documented on the Draytek knowledge bases and forums, and your Draytek reseller should have access to Draytek tech support, who are pretty helpful most of the time if you are clear on what the problem is.

Not wishing to undermine stephenw10 on the pfSense sell ;-), we have had no luck really in getting Draytek to play with pfSense running in Azure. Despite our best efforts we cannot get a stable solution. We can get pfSense to work with ASA all day long though, so it depends which end you might switch out for a pfSense.

Hi all , i should put that at the top of the topic, sorry.

Great idea!

mac OS Big Sur & iOS 14.3 Phase 1: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256 IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536 IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Phase 2: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

pfSense version is: 2.4.5-RELEASE-p1 (amd64)

@derelict Someone is, however :)

@jimp

Right now I’m using a LastPass generated password 16 charachter and just saving the credentials . Just abit concerned about this approach as it’s just 1fa , I’m saving the password and the vpn gives full access to my network

Also, what does using certificates protect against ? Not sure on how it enhances security

@sgnoc
Cool 👍

Great that my brainstorming was of help

/Bingo

After even more investigation:
Seams like the rules from WAN to pfSense where in place and effective. But what was missing: An allow rule from IPSec to the LAN. Is this "works as designed"? Even the DNS (the pfSense itself) was not reachable...

Everything is explained. Thank you for your answers!

@jimp said in IPSec mobile without certificate:

There is an ACME package in pfSense, works great for me and many others. YMMV depending on your update method, though.

Great!
I just tested, it works! thank you
Do I have to configure an "Action" in the ACME service so that it restarts IPSec server when renewing the certificate to take the new certificat or does it happen automatically without restart?

@reschi1
Regarding the NAT/BINAT configuration in the phase #2 I found this one:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html

I think this is what matches my case:

NAT - Overload/PAT Style If the Local Network is a subnet, but the NAT/BINAT Translation address is set to a single IP address, then a 1:many NAT (PAT) translation is set up that works like an outbound NAT rule on WAN. All outbound traffic will be translated from the local network to the single IP address in the NAT field.

I think that my phase #2 configuration I posted above is clearly non-sense, isn't it? I'm talking about the translation configuration:

Local Network: Address 123.231.231.227 NAT/BINAT translation: Address 123.231.231.227

To me it would be logical to configure it this way:

Local Network: Network LAN subnet NAT/BINAT translation: Address 123.231.231.227

Reconfigured it accordingly, but still no traffic. Leaves the previous question: Do I have to configure additional NAT settings apart from the phase #2 NAT/BINAT configuration?

What is more: I found this one https://forum.netgate.com/topic/140873/solved-inbound-traffic-with-nat-binat-translation-via-ipsec where it is claimed that not the site using a single IP address but the partner site has to configure NAT/BINAT settings. Now I'm rather confused.